I’m trying to config a HAP ax lite as an AP.
My setup is 2011UiAS with 5 cAP ac (via CAPsMAN), and everything is connected through a DGS-1210-48 (managed switch).
I have vlans to separate guests (20) from POS equipment (30), and base vlan (99 - to give internet access for firmware updates/NTP/etc for the cAPs). I’ve configured the RB and cAPs so they are provisioned through capsman, and everything works fine. Ports on the switch are tagged/untagged properly.

The HAP will only provide wifi to POS equipment, so I will set it up manually (not capsman, which also gives guest wifi).

I can connect to the HAP wifi (I set the ip / gateway / dns manually on the POS equipment).
The HAP needs to communicate with the 192.168.7.0 net (where the POS equpiment is) and over vlan 30.
The DGS switch has ip 192.168.64.2.
All equipment runs 7.14.3. RB and cAP AC has wireless package while HAP ax lite has wifi-qcom package. Do RB also needed wifi-qcom?
I can’t reach the internet with the below config. What am I doing wrong?

/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Norway .mode=ap .ssid=LightSpeed_Ute disabled=no
/interface bridge port
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=ether1
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 vlan-ids=20
add bridge=bridgeLocal tagged=ether1 vlan-ids=30
add bridge=bridgeLocal tagged=ether1 vlan-ids=99
/ip address
add address=192.168.7.50/24 interface=ether1 network=192.168.7.0
/ip dhcp-client
add interface=bridgeLocal
/ip dns
set servers=192.168.7.1,8.8.8.8
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=HAP_Ute
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool romon
set enabled=yes

Mainly changes recommended:

/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=no name=Off-Bridge

/interface vlan
add interface=bridgeLocal name=baseVLAN vlan-id=99

/interface list
add name=MANAGE

/interface bridge port
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi1 pvid=20
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1

/interface list members
add interface=baseVLAN list=MANAGE
add interface=Off-Bridge list=MANAGE

/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=99
add bridge=bridgeLocal tagged=ether1 untagged=wifi1 vlan-ids=20

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/ip address
add address=192.168.7.50/24 interface=baseVLAN network=192.168.7.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.168.55.0

/ip dhcp-client
add interface=bridgeLocal disabled=yes

/ip dns
set servers=192.168.7.1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.7.1 routing-table=main

/system ntp client servers
add address=192.168.7.1

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

+++++++++++++++++++++++++++++++++++

The idea of off bridge access, is actually a safer way to configure any MT device when using vlan filtering. It can get ornery and being off the bridge making the changes simply works very well.
So in this case attach a pc or laptop to ether4 and then change the nic card settings, ipv4 settings to an IP address of 192.168.55.2 etc… 255.255.255.0 and gateway 192.168.55.1 and you should have access.

Thanks!

By the way, would you like to take a look at the routerboard config, and see if it corresponds well with the HAP?
(I accidentally said POS equipment was vlan 20, but it’s 30 - i’ll fix in the HAP config you suggested).

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_ext_switch
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add interface=bridge1 name=Employee_VLAN vlan-id=10
add interface=bridge1 name=GuestWIFI_VLAN vlan-id=20
add interface=bridge1 name=Lightspeed_VLAN vlan-id=30
/caps-man datapath
add bridge=bridge1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 local-forwarding=yes name=datapath-lightspeed vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-lightspeed
add authentication-types="" encryption="" name=security-guest
/caps-man configuration
add channel=Ch06_20M_24G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-2.4-lightspeed-ch06 security=security-lightspeed ssid=Lightspeed_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-2.4-lightspeed-ch11 security=security-lightspeed ssid=Lightspeed_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-2.4-lightspeed-ch12 security=security-lightspeed ssid=Lightspeed_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-2.4-lightspeed-ch13 security=security-lightspeed ssid=Lightspeed_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-5ghz-lightspeed-ch36 security=security-lightspeed ssid=Lightspeed_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-5ghz-lightspeed-ch40 security=security-lightspeed ssid=Lightspeed_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-5ghz-lightspeed-ch48 security=security-lightspeed ssid=Lightspeed_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-lightspeed distance=indoors installation=indoor mode=ap name=cfg-5ghz-lightspeed-ch44 security=security-lightspeed ssid=Lightspeed_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch06 security=security-guest ssid="Guests"
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid="Guests"
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid="Guests"
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid="Guests"
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid="Guests"
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid="Guests"
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid="Guests"
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid="Guests"
/caps-man interface
add configuration=cfg-2.4-lightspeed-ch06 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none name=2.4GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A
add configuration=cfg-2.4-guest-ch06 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2A master-interface=2.4GHz--AP_Bar-1 name=2.4GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342A
add configuration=cfg-2.4-lightspeed-ch12 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=2.4GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C
add configuration=cfg-2.4-guest-ch12 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6C master-interface=2.4GHz--AP_Chambre-1 name=2.4GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6C
add configuration=cfg-2.4-lightspeed-ch13 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none name=2.4GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19
add configuration=cfg-2.4-guest-ch13 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:19 master-interface=2.4GHz--AP_Messanin-1 name=2.4GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF19
add configuration=cfg-2.4-lightspeed-ch11 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:76 master-interface=none name=2.4GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:76 radio-name=C4AD349EE776
add configuration=cfg-5ghz-lightspeed-ch36 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none name=5GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B
add configuration=cfg-5ghz-guest-ch36 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2B master-interface=5GHz--AP_Bar-1 name=5GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342B
add configuration=cfg-5ghz-lightspeed-ch48 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none name=5GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D
add configuration=cfg-5ghz-guest-ch48 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6D master-interface=5GHz--AP_Chambre-1 name=5GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6D
add configuration=cfg-5ghz-lightspeed-ch44 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none name=5GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A
add configuration=cfg-5ghz-guest-ch44 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:1A master-interface=5GHz--AP_Messanin-1 name=5GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF1A
add configuration=cfg-5ghz-lightspeed-ch40 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:77 master-interface=none name=5GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:77 radio-name=C4AD349EE777
add configuration=cfg-2.4-guest-ch11 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:76 master-interface=2.4GHz--cAP-Kontor name=2.4GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE776
add configuration=cfg-5ghz-guest-ch40 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:77 master-interface=5GHz--cAP-Kontor name=5GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE777
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=WinboxAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_guest ranges=192.168.88.20-192.168.88.250
add name=dhcp_pool_lightspeed ranges=192.168.7.120-192.168.7.254
add name=dhcp_pool_ap_mgmt ranges=192.168.64.5-192.168.64.254
/ip dhcp-server
add address-pool=dhcp_pool_guest interface=GuestWIFI_VLAN lease-time=2h59m name=dhcp_server_guest
add address-pool=dhcp_pool_lightspeed interface=Lightspeed_VLAN lease-time=23h59m59s name=dhcp_server_lightspeed
add address-pool=dhcp_pool_ap_mgmt interface=bridge1 lease-time=1h name=dhcp_server_ap_mgmt
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-lightspeed-ch06 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:14:34:2A slave-configurations=cfg-2.4-guest-ch06
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-lightspeed-ch11 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:E7:76 slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-lightspeed-ch12 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AA:6C slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-lightspeed-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AF:19 slave-configurations=cfg-2.4-guest-ch13
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-lightspeed-ch36 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:E7:77 slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_Bar hw-supported-modes=ac master-configuration=cfg-5ghz-lightspeed-ch40 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:14:34:2B slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-lightspeed-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AF:1A slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-lightspeed-ch48 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AA:6D slave-configurations=cfg-5ghz-guest-ch48
/interface bridge port
add bridge=bridge1 interface=eth2_ext_switch
/ip neighbor discovery-settings
set discover-interface-list=WinboxAccess
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=20
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=30
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Lightspeed_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=bridge1 list=BASE
add interface=Employee_VLAN list=WinboxAccess
add interface=Lightspeed_VLAN list=WinboxAccess
add interface=bridge1 list=WinboxAccess
/ip address
add address=192.168.64.1/24 interface=bridge1 network=192.168.64.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=x.x.x.x/24 interface=eth1_WAN network=x.x.x.x
add address=192.168.1.1/24 interface=Employee_VLAN network=192.168.1.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Lightspeed_VLAN network=192.168.7.0
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Lightspeed" dns-server=8.8.8.8,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.64.0/24 comment="DHCP for Access-points" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.64.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.1.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow Access to Router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=VLAN log=yes log-prefix=LAN_!LAN src-address-list=!rfc1918
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="BASE Internet Access only (gives internet locally on cAP)" connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=VLAN
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=BASE
add action=drop chain=forward comment="DROP All Else"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" in-interface-list=WAN src-address-list=not_in_internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

I tried the following config, without luck:
Anything I forgot?

/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=Off-Bridge
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Norway .mode=ap .ssid=LightSpeed_Ute disabled=no
/interface vlan
add interface=bridgeLocal name=baseVLAN vlan-id=99
/interface list
add name=MANAGE
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=30
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=99
add bridge=bridgeLocal tagged=ether1 untagged=wifi1 vlan-ids=30
/interface list member
add interface=baseVLAN list=MANAGE
add interface=Off-Bridge list=MANAGE
/ip address
add address=192.168.7.50/24 interface=baseVLAN network=192.168.7.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.168.55.0
/ip dhcp-client
add disabled=yes interface=bridgeLocal
/ip dns
set servers=192.168.7.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.7.1 routing-table=main
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=HAP_Ute
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.7.1
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool romon
set enabled=yes

(1) So I see all four vlans going to the switch, no problem there.
It could be shortened to one rule.

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10,20,30,99

(2) What does not make sense to me at all is your interface list membership.
Does this makes sense to you.

BASE VLAN = MANAGEMENT VLAN correct?
Where all managed devices get their IP address correct?

Then why is WINBOX access, an admin management function given to employee vlan, lighspeed vlan and entire bridge but not the Base VLAN?
If you are serious about security
a. bridge gets nothing as its not a player once doing all vlans so bridge1 entries can and should be removed from interface list members config !
b. only Winbox Access list member should be the BASE VLAN and thefore THERE IS NO REQUIREMENT for winbox access list, you ONLY NEED the base vlan list,
so REMOVE winbox access totally!!.

(3) YOu have no dhcp_server network for BASE VLAN???
You have no dhcp server network for Employee vlan ???
Not sure of the purpose of the bridge subnet … very confused is this the home LAN??
if so, then give it its own vlan like vlan5.

You have no ports on the 2011 active except ether2 to the switch, so very confused with the setup.
I would personally enable ether10 and make it an off bridge access like the hapac… safer spot to do configuring!!

(4) You have no IP pool for BASE VLAN???
No IP pool for your weird bridge subnet???

(5) Conclusion REMOVE bridge from ip address, and interface lists, it serves no purpose and you config is a mixup of both!!!

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_ext_switch
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=no name=Off-Bridge10
set [ find default-name=sfp1 ] disabled=yes

/interface list
add name=WAN
add name=LAN
add name=BASE

/ip pool
add name=dhcp_pool_guest ranges=192.168.88.20-192.168.88.250
add name=dhcp_pool_lightspeed ranges=192.168.7.120-192.168.7.254
add name=dhcp_pool_base ranges=192.168.0.5-192.168.64.254
add name=dhcp_employee_vlan ranges=192.168.1.5-192.168.1.254

/ip dhcp-server
add address-pool=dhcp_pool_guest interface=GuestWIFI_VLAN lease-time=2h59m name=dhcp_server_guest
add address-pool=dhcp_pool_lightspeed interface=Lightspeed_VLAN lease-time=23h59m59s name=dhcp_server_lightspeed
add address-pool=dhcp_pool**base** interface=bridge1 lease-time=1h name=dhcp_serverbase
add address-pool=dhcp_pool**employee** interface=bridge1 lease-time=12h name=dhcpemployee

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10,20,30,40
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=LAN
add interface=GuestWIFI_VLAN list=LAN
add interface=Lightspeed_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=Off-Bridge10 list=LAN
add interface=BASE-VLAN=BASE
add interface=Employee_VLAN list=BASE comment=“limited by source IP in firewall address list”
add interface=Off-Bridge10 list=BASE

/ip address
add address=x.x.x.x/24 interface=eth1_WAN network=x.x.x.x
add address=192.168.0.1/24interface=BASE_VLAN network=192.168.0.0
add address=192.168.1.1/24 interface=Employee_VLAN network=192.168.1.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Lightspeed_VLAN network=192.168.7.0
add address=192.168.55.1/30 interface=Off-Bridge10 network=192.168.55.0

/ip dhcp-server network { dont add netmask manually }
add address=192.168.7.0/24 comment=“DHCP for Lightspeed” dns-server=8.8.8.8,192.168.7.1 gateway=192.168.7.1
add address=192.168.0.0/24 comment="DHCP for Base" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.88.0/24 comment=“DHCP for Guests” dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
add address=192.168.1.0/24 comment=“DHCP for Employees” dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1

Looking at Firewall rules, there is no requirement for anyone not on BASE VLAN to access the router.
If you need separate access because the admin is working normally from non base vlan, VLAN, then use source address list appropriately, not blanket inclusion to many!!!
Certainly cannot agree with allowing the complete guest vlan to be on the allowed to router???

/ip firewall address-list { via static dhcp leases }
add address=192.168.0.0/24 list=allowed_to_router comment=“entire BASE VLAN subnet”
add address=192.168.1.XX /32 list=allowed_to_router comment='admin pc on employee subnet"
add address=192.168.55.2/32 list=allowed_to_router comment=“admin off bridge access on ether10”

/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment=“Allow Estab & Related” connection-state=established,related,untracked
add action=drop chain=input comment=“drop invalid” connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment=“accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1 log=yes log-prefix=“accept local loopback CAPsMAN”

{ admin rules }
add action=accept chain=input comment="Admin ONLY access to Router" in-interface-list=BASE src-address-list=allowed_to_router
add action=accept chain=input comment=“Allow VLAN to DNS/NTP-UDP” dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow VLAN to DNS-TCP” dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“Drop All Else” log-prefix=DROP-FIREWALL
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“accept established,related” connection-state=established,related,untracked
add action=drop chain=forward comment=“drop invalid” connection-state=invalid log=yes log-prefix=invalid

{ admin rules }
add action=accept chain=forward comment=“internet access” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat enabled=yes { disable or remove if not required }
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=LAN disabled=yes { disabled as no sense of purpose of rule? why this rule?? }
add action=drop chain=forward in-interface-list=BASE src-address-list=allowed to router out-interface-list=LAN comment=“admin access to all vlans”
add action=drop chain=forward comment=“DROP All Else”

Nothing else is needed. If there are real issues due to FW, then can discuss adding more.

Where is NTP SERVER, you have client to the internet but you can serve to the hap and caps from router!!! so all are in same sync.


/tool mac-server mac-winbox
set allowed-interface-list=BASE

1. Much better.

2. It did, but perhaps not

Yes, this is correct: BASE VLAN = MANAGEMENT VLAN correct?

The managed devices (mainly cAPs) get their IP from dhcp_server_ap_mgmt / dhcp_pool_ap_mgmt.

WINBOX access, all config is done from employee computers (there are only two in the office).
But perhaps better to give to base VLAN…?

Sounds good to me.

From the dhcp_server_ap_mgmt / dhcp_pool_ap_mgmt. But this was only implemented to give internet access for periodically auto-updating routeros/firmware.
Employee vlan, only two computers so they have static IPs (found it to be easier when Windows-sharing a printer).

bridge subnet (192.168.64.1 you mean?). I got help with this one. It was to give all the cAP ac local internet access for routeros/firmware updates.

Yes, only ether2 goes to to switch.
As we have 2 employee computers, 1 printer, 4-5 cAP ac, 1 HAP and 10 wired POS printers. I figured just put everything on the switch.
Perhaps not the best solution(?).
The highest priority is the Lightspeed network on the cAP ac + HAP + wired POS printers (all on 192.168.7.x). I forgot to tell, the Lightspeed “master” iPad is required to have IP 192.168.7.41 and every POS traffic (other iPads and receipt printers) goes via this iPad. So what ever setup would make this most efficient is what I’m after.
Guests and employees come second (employees just make orders a few times a day).

Sure ether10 off-bridge makes sense.

Yes, I should rather run an NTP server on the 2011, instead of all equipment syncing online.


I’ll try your new config. I wasn’t successful with the HAP ax lite. Will the new 2011 config take care of that?

And would there be changes to the config, after the questions above?

By all means modify as you desire.
Being truthful and accurate with requirements leads to quicker resolution and satisfaction.
Otherwise I fill gaps as I have to ASS U ME what the facts may be.

What I provided works, given the context provided.
There was no need for bridge dhcp
Base vlan is what all smart devices should be accessible from ( an IP on base vlan ).
Only add the vlans to the BASE interface list that the admin requires access to the router FROM, typically BASE subnet, and sometime normal work subnet, in this case the offbridge port and for example any wireguard external remote admin access. We narrow this down further by IP address in source address list especially when you include any subnets where others reside.

You should note very clear similarities to the hap config provided as they are similar except the Router adds the routing bits subnets…

Now to your newer hap config LOL
Looks fine to me!!

Its a basic AP/switch, as long as your wifi settings are okay, they are looking a bit sparse even for a simple wifi network.
Traffic comes in on ether1 and goes out wifi1 and you use vlan99 to manage the device.

After some tweaks, I finally made it work. I had to merge in a bit of my legacy code but I think I managed to implement all your suggestions.
Do you care to take a look? It seems to work, but there are many ways to get things to work.

(I did not manage to replace the firewall rules yet, as it was getting late yesterday and the restaurant is super busy Monday mornings).

RouterBoard:

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_ext_switch
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] name=Off-Bridge9
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add interface=bridge1 name=Employee_VLAN vlan-id=10
add interface=bridge1 name=Gastrofix_VLAN vlan-id=30
add interface=bridge1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=bridge1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add authentication-types="" encryption="" name=security-guest
/caps-man configuration
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch06 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch06 security=security-guest ssid="Guest"
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid="Guest"
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid="Guest"
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid="Guest"
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid="Guest"
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid="Guest"
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid="Guest"
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid="Guest"
/caps-man interface
add configuration=cfg-2.4-gastrofix-ch06 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none name=2.4GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A
add configuration=cfg-2.4-guest-ch06 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2A master-interface=2.4GHz--AP_Bar-1 name=2.4GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342A
add configuration=cfg-2.4-gastrofix-ch12 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=2.4GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C
add configuration=cfg-2.4-guest-ch12 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6C master-interface=2.4GHz--AP_Chambre-1 name=2.4GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6C
add configuration=cfg-2.4-gastrofix-ch13 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none name=2.4GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19
add configuration=cfg-2.4-guest-ch13 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:19 master-interface=2.4GHz--AP_Messanin-1 name=2.4GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF19
add configuration=cfg-2.4-gastrofix-ch11 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:76 master-interface=none name=2.4GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:76 radio-name=C4AD349EE776
add configuration=cfg-5ghz-gastrofix-ch36 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none name=5GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B
add configuration=cfg-5ghz-guest-ch36 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2B master-interface=5GHz--AP_Bar-1 name=5GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342B
add configuration=cfg-5ghz-gastrofix-ch48 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none name=5GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D
add configuration=cfg-5ghz-guest-ch48 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6D master-interface=5GHz--AP_Chambre-1 name=5GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6D
add configuration=cfg-5ghz-gastrofix-ch44 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none name=5GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A
add configuration=cfg-5ghz-guest-ch44 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:1A master-interface=5GHz--AP_Messanin-1 name=5GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF1A
add configuration=cfg-5ghz-gastrofix-ch40 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:77 master-interface=none name=5GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:77 radio-name=C4AD349EE777
add configuration=cfg-2.4-guest-ch11 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:76 master-interface=2.4GHz--cAP-Kontor name=2.4GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE776
add configuration=cfg-5ghz-guest-ch40 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:77 master-interface=5GHz--cAP-Kontor name=5GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE777
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_base ranges=192.168.0.5-192.168.0.254
add name=dhcp_pool_employee ranges=192.168.1.5-192.168.1.254
add name=dhcp_pool_gastrofix ranges=192.168.7.120-192.168.7.254
add name=dhcp_pool_guest ranges=192.168.88.20-192.168.88.250
/ip dhcp-server
add address-pool=dhcp_pool_base interface=bridge1 lease-time=1h name=dhcp_server_base
add address-pool=dhcp_pool_employee interface=Employee_VLAN lease-time=12h name=dhcp_server_employee
add address-pool=dhcp_pool_gastrofix interface=Gastrofix_VLAN lease-time=23h59m59s name=dhcp_server_gastrofix
add address-pool=dhcp_pool_guest interface=GuestWIFI_VLAN lease-time=2h59m name=dhcp_server_guest
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="iPad master 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=4A:2A:24:83:F8:7D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad master 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=76:4E:69:5B:01:F2 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar side 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=F6:79:D9:4C:37:1B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar side 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=0A:AA:DB:64:57:4B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar corner 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=C2:88:DA:DF:7E:E7 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar corner 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=72:32:AA:29:7E:1B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad messanin 5GHz" disabled=no interface=5GHz--AP_Messanin-1 mac-address=BA:47:74:E3:9C:2D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad messanin 2.4GHz" disabled=no interface=2.4GHz--AP_Messanin-1 mac-address=0E:D0:E6:E5:B2:69 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad chambre 5GHz" disabled=no interface=5GHz--AP_Chambre-1 mac-address=FE:DD:67:11:7C:68 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad chambre 2.4GHz" disabled=no interface=2.4GHz--AP_Chambre-1 mac-address=CA:B8:4E:87:4D:B5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment=Unknown disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch06 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:14:34:2A slave-configurations=cfg-2.4-guest-ch06
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:E7:76 slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AA:6C slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AF:19 slave-configurations=cfg-2.4-guest-ch13
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:E7:77 slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_Bar hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:14:34:2B slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AF:1A slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AA:6D slave-configurations=cfg-5ghz-guest-ch48
/interface bridge port
add bridge=bridge1 interface=eth2_ext_switch
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10,20,30,99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=LAN
add interface=GuestWIFI_VLAN list=LAN
add interface=Gastrofix_VLAN list=LAN
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=LAN disabled=yes
add interface=Off-Bridge9 list=BASE
add interface=Employee_VLAN list=BASE comment="limited by source IP in firewall address list"
add interface=bridge1 list=BASE
add interface=bridge1 list=LAN
/ip address
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.1.1/24 interface=Employee_VLAN network=192.168.1.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
add address=192.168.55.1/30 interface=bridge1 network=192.168.55.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
/ip dhcp-server network
add address=192.168.0.0/24 comment="DHCP for Base" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.1.0/24 comment="DHCP for Employees" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=192.168.7.1,8.8.8.8 gateway=192.168.7.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.1.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow Access to Router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!rfc1918
add action=accept chain=forward comment="LAN Internet Access only" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="BASE Internet Access only (gives internet locally on cAP)" connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=LAN
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=BASE
add action=drop chain=forward comment="DROP All Else"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" in-interface-list=WAN src-address-list=not_in_internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

hAP ax lite:

/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=Off-Bridge
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Norway .mode=ap .ssid=LightSpeed_Ute disabled=no
/interface vlan
add interface=bridgeLocal name=baseVLAN vlan-id=99
/interface list
add name=MANAGE
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool_gastrofix ranges=192.168.7.70-192.168.7.90
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=30
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=99
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi1 vlan-ids=30
/interface list member
add interface=baseVLAN list=MANAGE
add interface=Off-Bridge list=MANAGE
add interface=ether1 list=WAN disabled=yes 
add interface=bridgeLocal list=LAN disabled=yes 
/ip address
add address=192.168.7.50/24 interface=baseVLAN network=192.168.7.0
add address=192.168.55.1/30 interface=bridgeLocal network=192.168.55.0
/ip dhcp-client
add interface=bridgeLocal disabled=yes
/ip dns
set servers=192.168.7.1,8.8.8.8
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.7.1 routing-table=main disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=HAP_Ute
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.0.1
add address=79.160.13.250
add address=162.159.200.1
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool romon
set enabled=yes

Please take the time to implement firewall rules and all recommended changes then repost and ask for review.

I didn’t want to deploy a new set of rules until I knew the config itself was good. The old set of rules was working for many years.
Anyway, I deployed them, and everything broke. Even the dhcp for the employee machines.
Didn’t cause too much havoc since I did it during a service break (lunch to dinner transition).

RouterBoard:

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] name=Off-Bridge9
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_ext_switch
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add interface=bridge1 name=Employee_VLAN vlan-id=10
add interface=bridge1 name=Gastrofix_VLAN vlan-id=30
add interface=bridge1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=bridge1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add authentication-types="" encryption="" name=security-guest
/caps-man configuration
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch06 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch06 security=security-guest ssid="Guest"
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid="Guest"
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid="Guest"
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid="Guest"
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid="Guest"
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid="Guest"
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid="Guest"
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid="Guest"
/caps-man interface
add configuration=cfg-2.4-gastrofix-ch06 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none name=2.4GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A
add configuration=cfg-2.4-guest-ch06 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2A master-interface=2.4GHz--AP_Bar-1 name=2.4GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342A
add configuration=cfg-2.4-gastrofix-ch12 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=2.4GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C
add configuration=cfg-2.4-guest-ch12 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6C master-interface=2.4GHz--AP_Chambre-1 name=2.4GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6C
add configuration=cfg-2.4-gastrofix-ch13 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none name=2.4GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19
add configuration=cfg-2.4-guest-ch13 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:19 master-interface=2.4GHz--AP_Messanin-1 name=2.4GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF19
add configuration=cfg-2.4-gastrofix-ch11 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:76 master-interface=none name=2.4GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:76 radio-name=C4AD349EE776
add configuration=cfg-5ghz-gastrofix-ch36 disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none name=5GHz--AP_Bar-1 radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B
add configuration=cfg-5ghz-guest-ch36 disabled=no l2mtu=1600 mac-address=C6:AD:34:14:34:2B master-interface=5GHz--AP_Bar-1 name=5GHz--AP_Bar-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD3414342B
add configuration=cfg-5ghz-gastrofix-ch48 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none name=5GHz--AP_Chambre-1 radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D
add configuration=cfg-5ghz-guest-ch48 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AA:6D master-interface=5GHz--AP_Chambre-1 name=5GHz--AP_Chambre-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AA6D
add configuration=cfg-5ghz-gastrofix-ch44 disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none name=5GHz--AP_Messanin-1 radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A
add configuration=cfg-5ghz-guest-ch44 disabled=no l2mtu=1600 mac-address=76:4D:28:F9:AF:1A master-interface=5GHz--AP_Messanin-1 name=5GHz--AP_Messanin-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28F9AF1A
add configuration=cfg-5ghz-gastrofix-ch40 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:77 master-interface=none name=5GHz--cAP-Kontor radio-mac=C4:AD:34:9E:E7:77 radio-name=C4AD349EE777
add configuration=cfg-2.4-guest-ch11 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:76 master-interface=2.4GHz--cAP-Kontor name=2.4GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE776
add configuration=cfg-5ghz-guest-ch40 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:77 master-interface=5GHz--cAP-Kontor name=5GHz--cAP-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE777
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_guest ranges=192.168.88.20-192.168.88.250
add name=dhcp_pool_gastrofix ranges=192.168.7.120-192.168.7.254
add name=dhcp_pool_base ranges=192.168.0.5-192.168.0.254
add name=dhcp_pool_employee ranges=192.168.1.5-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool_gastrofix interface=Gastrofix_VLAN lease-time=23h59m59s name=dhcp_server_gastrofix
add address-pool=dhcp_pool_base interface=bridge1 lease-time=1h name=dhcp_server_base
add address-pool=dhcp_pool_guest interface=GuestWIFI_VLAN lease-time=2h59m name=dhcp_server_guest
add address-pool=dhcp_pool_employee interface=Employee_VLAN lease-time=12h name=dhcp_employee
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="iPad master 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=4A:2A:24:83:F8:7D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad master 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=76:4E:69:5B:01:F2 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar side 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=F6:79:D9:4C:37:1B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar side 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=0A:AA:DB:64:57:4B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar corner 5GHz" disabled=no interface=5GHz--AP_Bar-1 mac-address=C2:88:DA:DF:7E:E7 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad bar corner 2.4GHz" disabled=no interface=2.4GHz--AP_Bar-1 mac-address=72:32:AA:29:7E:1B ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad messanin 5GHz" disabled=no interface=5GHz--AP_Messanin-1 mac-address=BA:47:74:E3:9C:2D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad messanin 2.4GHz" disabled=no interface=2.4GHz--AP_Messanin-1 mac-address=0E:D0:E6:E5:B2:69 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad chambre 5GHz" disabled=no interface=5GHz--AP_Chambre-1 mac-address=FE:DD:67:11:7C:68 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="iPad chambre 2.4GHz" disabled=no interface=2.4GHz--AP_Chambre-1 mac-address=CA:B8:4E:87:4D:B5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment=Unknown disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch06 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:14:34:2A slave-configurations=cfg-2.4-guest-ch06
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:E7:76 slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AA:6C slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=74:4D:28:F9:AF:19 slave-configurations=cfg-2.4-guest-ch13
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:E7:77 slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_Bar hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:14:34:2B slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AF:1A slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- radio-mac=74:4D:28:F9:AA:6D slave-configurations=cfg-5ghz-guest-ch48
/interface bridge port
add bridge=bridge1 interface=eth2_ext_switch
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10,20,30,99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=LAN
add interface=GuestWIFI_VLAN list=LAN
add interface=Gastrofix_VLAN list=LAN
add interface=BASE_VLAN list=BASE
add interface=Off-Bridge9 list=BASE
add comment="limited by source IP in firewall address list" interface=Employee_VLAN list=BASE
add interface=bridge1 list=BASE
add disabled=yes interface=BASE_VLAN list=LAN
add interface=bridge1 list=LAN
/ip address
add address=x.x.x.x/24 interface=eth1_WAN network=x.x.x.x
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.64.1/24 disabled=yes interface=bridge1 network=192.168.64.0
add address=192.168.1.1/24 interface=Employee_VLAN network=192.168.1.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
add address=192.168.55.1/30 interface=bridge1 network=192.168.55.0
/ip dhcp-server network
add address=192.168.0.0/24 comment="DHCP for Base" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.1.0/24 comment="DHCP for Employees" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=192.168.7.1,8.8.8.8 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.0.0/24 comment="entire BASE VLAN subnet" list=allowed_to_router
add address=192.168.1.20 comment="admin pc on employee subnet" list=allowed_to_router
add address=192.168.55.2 comment="admin off bridge access on ether9" list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="Admin ONLY access to Router" in-interface-list=BASE src-address-list=allowed_to_router
add action=accept chain=input comment="Allow VLAN to DNS/NTP-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward disabled=yes dst-address=77.66.21.133 in-interface-list=LAN
add action=drop chain=forward comment="admin access to all vlans" in-interface-list=BASE out-interface-list=LAN src-address-list=allowed_to_router
add action=drop chain=forward comment="DROP All Else"
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" in-interface-list=WAN src-address-list=not_in_internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

hAP ax lite:

/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=Off-Bridge
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Norway .mode=ap .ssid=LightSpeed_Ute disabled=no
/interface vlan
add interface=bridgeLocal name=baseVLAN vlan-id=99
/interface list
add name=MANAGE
/ip pool
add name=dhcp_pool_gastrofix ranges=192.168.7.70-192.168.7.90
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=30
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=99
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi1 vlan-ids=30
/interface list member
add interface=baseVLAN list=MANAGE
add interface=Off-Bridge list=MANAGE
/ip address
add address=192.168.7.50/24 interface=baseVLAN network=192.168.7.0
add address=192.168.55.1/30 interface=bridgeLocal network=192.168.55.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dns
set servers=192.168.7.1,8.8.8.8
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=HAP_Ute
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.0.1
add address=79.160.13.250
add address=162.159.200.1
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool romon
set enabled=yes

Well since you use capsman, that may change the equation and I am unable to assist with that.
So stick to the rules that work for you, especially if the reason for posting has been solved.

Will do thanks for your help. It really saved me.
What change do I need to make to get local internet on the caps and hap? I need it for automatic routeros updates..

Review and config are advised with known facts and provided requirements, adding new ones at the end is too late.
Since I am not working on the firewall rules any longer, not sure how to solve that.
Typically that is what the Trusted or Management network is for, here the admin can access to update.
I would never autoupdate a version. I would read it first and then decide if its worth it.
For example I would never upgrade to a new version 7.15.0 I would wait until 7.15.1 or 7.15.2

Thanks. That’s true.

By the way, in my “/interface list member” I have what you recommended:

/interface list member
add interface=eth1_WAN list=WAN
add interface=GuestWIFI_VLAN list=LAN
add interface=Lightspeed_VLAN list=LAN
add interface=Employee_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=Off-Bridge10 list=LAN
add interface=Employee_VLAN list=BASE comment="limited by source IP in firewall address list"
add interface=BASE_VLAN list=BASE
add interface=Off-Bridge10 list=BASE

Should I also put the bridge1 on BASE and/or LAN?

add interface=bridge1 list=BASE
add interface=bridge1 list=LAN

Not required. Once you go vlans the bridge just does bridging and thus is not an interface list member.

I see, thanks.

I just discovered clients connected to the hAP ax lite, are assigned an IP, although it doesn’t have a local dhcp server. Is the RouterBoard assigning, since it’s on the 192.168.7.x net?

/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=Off-Bridge
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Norway .mode=ap .ssid=LightSpeed_Ute disabled=no
/interface vlan
add interface=bridgeLocal name=baseVLAN vlan-id=99
/interface list
add name=MANAGE
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=30
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=99
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi1 vlan-ids=30
/interface list member
add interface=baseVLAN list=MANAGE
add interface=Off-Bridge list=MANAGE
/ip address
add address=192.168.7.50/24 interface=baseVLAN network=192.168.7.0
add address=192.168.55.1/30 interface=bridgeLocal network=192.168.55.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dns
set servers=192.168.7.1,8.8.8.8
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=HAP_Ute
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.0.1
add address=79.160.13.250
add address=162.159.200.1
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool romon
set enabled=yes